Saturday, July 20, 2024

Abyss Locker Ransomware Attacks Microsoft Windows and Linux Users

FortiGuard Labs has released a report detailing the emergence and impact of the Abyss Locker ransomware, which has been targeting Microsoft Windows and Linux platforms.

Abyss Locker, believed to be based on the HelloKitty ransomware source code, has been stealing and encrypting victims’ files, demanding ransom for file decryption, and preventing the release of stolen data.

The Abyss Locker ransomware’s wallpaper
The Abyss Locker ransomware’s wallpaper

The severity level of this ransomware is classified as high. The first Abyss Locker sample was detected in July 2023, but the ransomware’s origins may date even further.

The Windows version of Abyss Locker was discovered in January 2024, with a second version shortly after. The Linux variant, which targets VMware ESXi systems, has also been identified.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Attack Method

The Windows version of Abyss Locker performs several actions to ensure the successful encryption of files. It deletes Volume Shadow Copies and system backups using commands like vssadmin.exe delete shadows /all /quiet and wmic SHADOWCOPY DELETE.

It also sets the boot status policy to disable automatic repair and ignore all boot failures.

The ransomware encrypts files and changes the file extension to “.abyss” or a random five-letter extension for the version 1 variant.

A ransom note titled “WhatHappened.txt” is dropped, and the desktop wallpaper is replaced with a message demanding a ransom.

The Linux version of Abyss Locker uses the esxcli command-line tool to manage VMware ESXi systems. It attempts to gracefully shut down running VMs before encrypting files with a “.crypt” extension.

A ransom note with the “.README_TO_RESTORE” extension is created for each encrypted file.

Both versions of the ransomware avoid encrypting specific file extensions and directories to maintain the system’s operability and ensure the victim can communicate with the attackers for ransom negotiation, reads Fortinet report.

Infection Vector

The infection vector for Abyss Locker is not specified, but it is likely similar to other ransomware groups.

Abyss Locker ransomware’s ransom negotiation site
Abyss Locker ransomware’s ransom negotiation site

The ransomware samples have been submitted from various regions, indicating a widespread attack.

While no current data leak site exposes victims’ names, a ransom negotiation site on TOR is available. The ransom demands vary, with higher amounts typically set for consumers.

The Abyss Locker ransomware poses a significant threat to Windows and Linux users, particularly those utilizing VMware ESXi systems.


Abyss Locker Ransomware File IOCs

72310e31280b7e90ebc9a32cb33674060a3587663c0334daef76c2ae2cc2a462Abyss Locker v2 (Linux)
3fd080ef4cc5fbf8bf0e8736af00af973d5e41c105b4cd69522a0a3c34c96b6dAbyss Locker v2 (Windows)
9243bdcbe30fbd430a841a623e9e1bcc894e4fdc136d46e702a94dad4b10dfdcAbyss Locker v1 (Windows)
0763e887924f6c7afad58e7675ecfe34ab615f4bd8f569759b1c33f0b6d08c64Abyss Locker v1 (Windows)
dee2af08e1f5bb89e7bad79fae5c39c71ff089083d65da1c03c7a4c051fabae0Abyss Locker v1 (Windows)
e6537d30d66727c5a306dc291f02ceb9d2b48bffe89dd5eff7aa2d22e28b6d7cAbyss Locker v1 (Windows)
1d04d9a8eeed0e1371afed06dcc7300c7b8ca341fe2d4d777191a26dabac3596Abyss Locker v1 (Windows)
1a31b8e23ccc7933c442d88523210c89cebd2c199d9ebb88b3d16eacbefe4120Abyss Locker v1 (Windows)
25ce2fec4cd164a93dee5d00ab547ebe47a4b713cced567ab9aca4a7080afcb7Abyss Locker v1 (Windows)
b524773160f3cb3bfb96e7704ef31a986a179395d40a578edce8257862cafe5fAbyss Locker v1 (Windows)
362a16c5e86f13700bdf2d58f6c0ab26e289b6a5c10ad2769f3412ec0b2da711Abyss Locker v1 (Windows)
e5417c7a24aa6f952170e9dfcfdf044c2a7259a03a7683c3ddb72512ad0cd5c7Abyss Locker v1 (Windows)
056220ff4204783d8cc8e596b3fc463a2e6b130db08ec923f17c9a78aa2032daAbyss Locker v1 (Windows)
877c8a1c391e21727b2cdb2f87c7b0b37fb7be1d8dd2d941f5c20b30eb65ee97Abyss Locker v1 (Windows)
2e42b9ded573e97c095e45dad0bdd2a2d6a0a99e4f7242695054217e2bba6829Abyss Locker v1 (Windows)

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,'...

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users,...

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have...

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles